FKIE_CVE-2026-21569

Vulnerability from fkie_nvd - Published: 2026-01-28 01:16 - Updated: 2026-02-02 13:22
Severity ?
7.9 (High) - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H
Summary
This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3 See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program.
References
security@atlassian.comhttps://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819Vendor Advisory
security@atlassian.comhttps://jira.atlassian.com/browse/CWD-6453Vendor Advisory, Issue Tracking
Impacted products
Vendor Product Version
atlassian crowd *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D58C58C-051C-4A3E-BEC8-296F8086DDF5",
              "versionEndExcluding": "7.1.3",
              "versionStartIncluding": "7.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. \n\t\n\tThis XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. \n\t\n\tAtlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). \n\t\n\tThis vulnerability was reported via our Atlassian (Internal) program."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad XXE (inyecci\u00f3n de entidad externa XML) de alta gravedad fue introducida en la versi\u00f3n 7.1.0 de Crowd Data Center y Server.\n\nEsta vulnerabilidad XXE (inyecci\u00f3n de entidad externa XML), con una puntuaci\u00f3n CVSS de 7.9, permite a un atacante autenticado acceder a contenido local y remoto, lo que tiene un alto impacto en la confidencialidad, bajo impacto en la integridad, alto impacto en la disponibilidad y no requiere interacci\u00f3n del usuario.\n\nAtlassian recomienda que los clientes de Crowd Data Center y Server actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas compatibles especificadas:\n\n* Crowd Data Center y Server 7.1: Actualice a una versi\u00f3n mayor o igual a 7.1.3\n\nConsulte las notas de la versi\u00f3n (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). Puede descargar la \u00faltima versi\u00f3n de Crowd Data Center y Server desde el centro de descargas (https://www.atlassian.com/software/crowd/download-archive).\n\nEsta vulnerabilidad fue reportada a trav\u00e9s de nuestro programa Atlassian (Interno)."
    }
  ],
  "id": "CVE-2026-21569",
  "lastModified": "2026-02-02T13:22:24.383",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.9,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 6.0,
        "source": "security@atlassian.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-28T01:16:14.187",
  "references": [
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819"
    },
    {
      "source": "security@atlassian.com",
      "tags": [
        "Vendor Advisory",
        "Issue Tracking"
      ],
      "url": "https://jira.atlassian.com/browse/CWD-6453"
    }
  ],
  "sourceIdentifier": "security@atlassian.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.